iBeacons, privacy, and security

The technology is at risk of dying off — and that would be a shame.

iBeacons and various BLE technologies have the potential to shake up many established ways of doing business by streamlining interactions. Although there are potentially many uses for iBeacons, much of the initial discussion has focused on retail. (I’ll follow up with some examples of iBeacon applications outside retail in a future post.)

As I described in my initial post in this series, all an iBeacon does is send out advertisement packets. iBeacon transmissions let a receiver perform two tasks: uniquely identify what things they are near and estimate the distance to them. With such a simple protocol, iBeacons cannot:

Receive anything. (Many iBeacon devices will have two-way Bluetooth interfaces so they can receive configurations, but the iBeacon specification does not require reception.)

Report on clients they have seen. Wi-Fi based proximity systems use transmissions from mobile devices to uniquely identify visitors to a space. If you take a smartphone into an area covered by a Wi-Fi proximity system, you can be uniquely identified. Because an iBeacon is only a transmitter, it does not receive Bluetooth messages from mobile devices to uniquely identify visitors.

Allow mobile devices to learn about other mobile devices nearby. With a protocol that consists of transmissions from iBeacons received by listeners, there is no way for a listener to learn whether there are any other nearby receivers, or indeed, whether there are any other receivers in the area.

Broker device-to-device communications. As an iBeacon has no way of learning what receivers are in the area, and receivers have no way of learning what else is in the area, the protocol does not enable devices to find each other.

Transmit a message to a mobile device. An iBeacon’s transmission consists of three numbers to uniquely identify a space. To display a text message on a device’s display, an app needs to translate those numbers into an action; without an app running on the receiver, nothing happens.

Get access to latitude and longitude information. iBeacons transmit identification numbers, not a geographic location. In order to get latitude and longitude, an app would need to either use a technology like GPS or translate an iBeacon’s numerical identifiers into a geographic location using a mapping database.

Collect information without permission from the user. Before the iOS CoreLocation API will allow an application to access information on iBeacons, users must enable location services. Each application must also be granted permission. On Android, access is granted at install time for applications that need to access Bluetooth information.

Simple protocols are easy to implement. An additional benefit of a simple protocol is that it has well-understood privacy implications. In the case of iBeacons, privacy is controlled by the permissions that a user gives to an application. For end users, iBeacons themselves are not a privacy threat — applications are. At this point, the current state of privacy controls are too blunt an instrument. On iOS, for example, end users can toggle CoreLocation for all applications as well as each application on an individual basis. However, it is not possible to control the individual components of CoreLocation. If an application requests location capabilities, the end user is opting in to GPS, Wi-Fi, and iBeacon, and applications can use that information in any way they see fit.

Unless it becomes easier to control how applications use iBeacon information, the technology is at risk of being understood primarily as a method for retailers to access private location information via data gathered through their apps. If iBeacon as a whole is associated primarily with coupons and ads pushed to shoppers’ phones as they walk through the store, it might scare end users into rejecting the technology, even for use cases that have much less significant privacy implications, such as for finding a particular item in the store. In the worst-case scenario, customers will completely opt out of using iBeacons, which will not only prevent convenient customer use cases like finding items, but might even inhibit non-retail uses of the technology, such as improving home automation or helping museum patrons better experience their visit.

Mobile ecosystems have a role in advocating for the end users, who often lack the time and technical expertise to dive deeply into the technology. Apps need to be more clear about how location information will be used (and, perhaps more importantly, stored), and the approval process for publishing apps could do a better job of preventing “unacceptable” privacy practices.

We are at a critical point for end users. Although sophisticated users who know how the technology works under the hood can make subtle trade-offs, if most users understand “iBeacon” to be “that thing that pushes ads I don’t want” or “the thing that lets retailers track me,” the technology will die off as users either get annoyed or nervous. And that would be a shame because there is so much more to iBeacons than mobile advertising.

Get the O’Reilly Hardware Newsletter

Excellent article Matthew. Thank you for sharing. We certainly are at a critical point for business and consumer and the more we can do to help understanding the more likely ibeacons become accepted because of the value they create (as opposed yor the potential mis use of apps). Rather than challenge the ibeacon technology I would suggest consumer should challenge which third party apps to download. One can note that ibeacon technology is already integrated into the native iOS app – passbook – which delivers a more precise form of location. When deployed correctly this provides ultra convenience for a pass holder to quickly access a coupon, store card, loyalty point card just as they near the sales assistantto collect points of pay for goods.

Adam Logghe

Some things are best simple.

As you’ve described it, iBeacon genuinely seems too simple to be useful beyond it’s apparently very narrow use case.

It’s seems targeted and only useful to “I have the supermarket/department store X app installed on my device”.

All it really needed to do to make it more generally useful was to add a url to the transmission. If that url lead to a landing page with some basic linked data/microformats a very large variety of uses could develop.

“You are near an iBeacon that has a map of the local area, there is a restroom 50m north”

“Here is a menu for the restaurant you are standing in the doorway of, would you like a table?”

To retail store, one shortcoming of iBeacon is spoofing. Everyone with iDevice could scan and spoof iBeacon UUID/major/minor easily in retail stores, and screw up the micro-locationing.

Even there is a way to update UUID dynamically on iBeacon transmitter (and app as receivers), spoofer could listen to new UUID and repeat the spoofing.

Perhaps another system is needed to detect those spoofing iBeacon transmitter units in store. Or large number of iBeacon (how many then?) is deployed and one or two spoofing units could be ruled out.

Matthew Gast

As it stands, the iBeacon protocol is incredibly simple (and has no cryptography). I think there’s a huge opportunity to build security on top of iBeacon networks, not least by having a monitoring system that detects spoofing.

Graeme Gibson

The iBeacon system we deploy in our illumiEye location services overcomes that issue. The capability is at the hardware level and allows us to control access to the installed beacons to overcome exactly the issue you highlight. Recently installed at London City Airport, UK, we have complete control over who can and can not access the beacon infrastructure.

May you share more about the measure used? Is the restriction on pairing?

Graeme Gibson

Hi King-On, no the restriction is not on pairing. We use standard signal strength to maintain maximum battery performance.

Graeme Gibson

As suggested by Matthew Gast, we use cryptography to allow us to control knowledge of the specific beacons when sighted. Other applications may still monitor the signal strength but they have no reliable knowledge of which beacon transmitted the signal unless authorised.

OnlineBangalore16

The delicate beauty of flowers as an offering of sympathy is an age old practice that
signifies compassion, thoughtfulness, and warmth. Sending flowers is always
appropriate. A flower arrangement sent to the home of the surviving members is
often considered an even more earnest and thoughtful gesture. When words can’t
express all your feeling, this reverent arrangement communicates your heartfelt
sympathies. Order Online Condolence Flowers to Bangalore and show your
emotions.

Peter Parker

Thanks for sharing a valuable information about iBeacons, If anyone want to know more about iBeaons click on mobilepundits case study.